Cyber Web Spider Blog – News

FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware

Posted on June 10, 2025 by CWS

Jun 10, 2025 | Ravie Lakshmanan | Phishing / Cybercrime

The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs.

“By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware,” the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.

More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which was most recently attributed to new malware families like TerraStealerV2 and TerraLogger. A JavaScript-based backdoor, it is capable of enabling credential theft, system access, and follow-on attacks, including ransomware.

One of the malware’s known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card details and profit off them. It has been operational since 2012.

The hacking group also has a history of using Magecart JavaScript skimmers to target e-commerce sites to harvest financial information.

According to payment card services company Visa, FIN6 has leveraged More_eggs as a first-stage payload as far back as 2018 to infiltrate several e-commerce merchants and inject malicious JavaScript code into the checkout pages with the ultimate goal of stealing card data.

“Stolen payment card data is later monetized by the group, sold to intermediaries, or sold openly on marketplaces such as JokerStash, prior to it shutting down in early 2021,” Secureworks notes in a profile of the threat actor.

The latest activity from FIN6 involves the use of social engineering to initiate contact with recruiters on professional job platforms like LinkedIn and Indeed, posing as job seekers to distribute a link (e.g., bobbyweisman[.]com, ryanberardi[.]com) that purports to host their resume.

DomainTools said the bogus domains, which masquerade as personal portfolios, are registered anonymously through GoDaddy for an extra layer of obfuscation that makes attribution and takedown efforts more difficult.

“By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown team,” the company said. “Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.”

Another noteworthy aspect is the use of trusted cloud services, such as AWS Elastic Compute Cloud (EC2) or S3, to host phishing sites. What’s more, the sites come with built-in traffic filtering logic to ensure that only prospective victims are served a link to download the supposed resume after completing a CAPTCHA check.

“Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document,” DomainTools said. “If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume.”

The downloaded resume takes the form of a ZIP archive that, when opened, triggers an infection sequence to deploy the More_eggs malware.

“FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion,” the researchers concluded. “By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.”
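
A defender-side hunt for the delivery pattern described above, added here as an example and not taken from DomainTools or the original article: because the sites show scanners a harmless page, it works from proxy records of real user sessions rather than URL-scan verdicts. The log layout, account names, hosts and prefixes are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for cloud-provider prefixes (RFC 5737 documentation
# ranges). Assumption: production use loads the provider's published ranges.
CLOUD_PREFIXES = [ipaddress.ip_network(p)
                  for p in ("198.51.100.0/24", "203.0.113.0/24")]
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}

# Hypothetical inventory data: recruiting accounts and hosts already in use.
RECRUITERS = {"recruiter1", "recruiter2"}
KNOWN_HOSTS = {"intranet-hr.example", "cdn.vendor.example"}

# Constructed proxy records: (epoch, user, host, dest_ip, path, content_type)
SAMPLE_LOG = [
    (1000, "recruiter1", "alex-smith-portfolio.example", "203.0.113.10", "/", "text/html"),
    (1030, "recruiter1", "alex-smith-portfolio.example", "203.0.113.10", "/captcha", "text/html"),
    (1060, "recruiter1", "alex-smith-portfolio.example", "203.0.113.10", "/download/resume.zip", "application/zip"),
    (1100, "engineer1", "alex-smith-portfolio.example", "203.0.113.10", "/download/resume.zip", "application/zip"),
    (1200, "recruiter2", "intranet-hr.example", "192.0.2.5", "/forms/pack.zip", "application/zip"),
    (1300, "recruiter2", "cdn.vendor.example", "198.51.100.7", "/tool.zip", "application/zip"),
]


def in_cloud(ip):
    """True if the destination address falls inside a listed cloud prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PREFIXES)


def hunt(records, recruiters, known_hosts, window=600):
    """Return (user, host, path) for archive downloads by recruiting staff
    from a not-previously-seen, cloud-hosted host within `window` seconds
    of that user's first request to it."""
    first_visit, hits = {}, []
    for ts, user, host, ip, path, ctype in sorted(records):
        first_visit.setdefault((user, host), ts)
        is_archive = ctype in ARCHIVE_TYPES or path.lower().endswith(".zip")
        if (is_archive and user in recruiters and host not in known_hosts
                and in_cloud(ip)
                and ts - first_visit[(user, host)] <= window):
            hits.append((user, host, path))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, RECRUITERS, KNOWN_HOSTS):
        print("review:", hit)
```
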
